bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362

unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed

* bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
@ 2017-07-24 18:57 Leo Famulari
  2017-07-25 15:26 ` Alex Sassmannshausen
  0 siblings, 1 reply; 8+ messages in thread
From: Leo Famulari @ 2017-07-24 18:57 UTC (permalink / raw)
  To: 27808

[-- Attachment #1: Type: text/plain, Size: 357 bytes --]

Apparently our PHP package is vulnerable to CVE-2017-11144,
CVE-2017-11145, and CVE-2017-11362:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145

This one looks especially bad:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362

Can someone please take a look at this?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
  2017-07-24 18:57 bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362 Leo Famulari
@ 2017-07-25 15:26 ` Alex Sassmannshausen
  2017-07-25 18:41   ` Leo Famulari
  0 siblings, 1 reply; 8+ messages in thread
From: Alex Sassmannshausen @ 2017-07-25 15:26 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 27808

Hi Leo,

I've just submitted a patch to update PHP to version 7.1.7, which
resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
(but also on the previous version), so I could not fully build it
(disabling tests results in a working version of PHP).

The relevant patch is at 27826. If someone could try building it, on
x86_64 then we could be sure it's just my local environment that messes
things up…

Alex

Leo Famulari writes:

> Apparently our PHP package is vulnerable to CVE-2017-11144,
> CVE-2017-11145, and CVE-2017-11362:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145
>
> This one looks especially bad:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362
>
> Can someone please take a look at this?

^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
  2017-07-25 15:26 ` Alex Sassmannshausen
@ 2017-07-25 18:41   ` Leo Famulari
  2017-07-25 19:44     ` Alex Sassmannshausen
  0 siblings, 1 reply; 8+ messages in thread
From: Leo Famulari @ 2017-07-25 18:41 UTC (permalink / raw)
  To: Alex Sassmannshausen; +Cc: 27808

[-- Attachment #1: Type: text/plain, Size: 1055 bytes --]

On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
> Hi Leo,
> 
> I've just submitted a patch to update PHP to version 7.1.7, which
> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
> (but also on the previous version), so I could not fully build it
> (disabling tests results in a working version of PHP).

I got this building with that patch:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
=====================================================================

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
  2017-07-25 18:41   ` Leo Famulari
@ 2017-07-25 19:44     ` Alex Sassmannshausen
  2017-07-31 15:32       ` bug#27808: [bug#27826] " Ludovic Courtès
  0 siblings, 1 reply; 8+ messages in thread
From: Alex Sassmannshausen @ 2017-07-25 19:44 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 27826, 27808


> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>> Hi Leo,
>> 
>> I've just submitted a patch to update PHP to version 7.1.7, which
>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>> (but also on the previous version), so I could not fully build it
>> (disabling tests results in a working version of PHP).
>
> I got this building with that patch:
>
> =====================================================================
> FAILED TEST SUMMARY
> ---------------------------------------------------------------------
> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
> =====================================================================

OK that's what I've got too.

I guess it will need some investigation… :-(

Thanks for testing!

Alex

Leo Famulari writes:

^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#27808: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
  2017-07-25 19:44     ` Alex Sassmannshausen
@ 2017-07-31 15:32       ` Ludovic Courtès
  2017-07-31 16:22         ` Alex Sassmannshausen
  0 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2017-07-31 15:32 UTC (permalink / raw)
  To: Alex Sassmannshausen; +Cc: 27826, 27808

Hi Alex,

Alex Sassmannshausen <alex@pompo.co> skribis:

>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>> Hi Leo,
>>> 
>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>> (but also on the previous version), so I could not fully build it
>>> (disabling tests results in a working version of PHP).
>>
>> I got this building with that patch:
>>
>> =====================================================================
>> FAILED TEST SUMMARY
>> ---------------------------------------------------------------------
>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>> =====================================================================
>
> OK that's what I've got too.
>
> I guess it will need some investigation… :-(

Any update?  :-)

Would be good not to leave the vulnerable version in the distro.

TIA,
Ludo’.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#27808: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
  2017-07-31 15:32       ` bug#27808: [bug#27826] " Ludovic Courtès
@ 2017-07-31 16:22         ` Alex Sassmannshausen
  2017-08-20 20:10           ` Alex Sassmannshausen
  2017-08-20 20:11           ` Alex Sassmannshausen
  0 siblings, 2 replies; 8+ messages in thread
From: Alex Sassmannshausen @ 2017-07-31 16:22 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 27826, 27808


Ludovic Courtès writes:

> Hi Alex,
>
> Alex Sassmannshausen <alex@pompo.co> skribis:
>
>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>> Hi Leo,
>>>>
>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>> (but also on the previous version), so I could not fully build it
>>>> (disabling tests results in a working version of PHP).
>>>
>>> I got this building with that patch:
>>>
>>> =====================================================================
>>> FAILED TEST SUMMARY
>>> ---------------------------------------------------------------------
>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>> =====================================================================
>>
>> OK that's what I've got too.
>>
>> I guess it will need some investigation… :-(
>
> Any update?  :-)
>
> Would be good not to leave the vulnerable version in the distro.

Agreed, though I am in no position to investigate this. I was going to
propose a patch that disabled those 4 tests, but I will need to
investigate how to do that.  So at the earliest I could contribute those
patches this weekend.

Alex

>
> TIA,
> Ludo’.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#27808: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
  2017-07-31 16:22         ` Alex Sassmannshausen
@ 2017-08-20 20:10           ` Alex Sassmannshausen
  2017-08-20 20:11           ` Alex Sassmannshausen
  1 sibling, 0 replies; 8+ messages in thread
From: Alex Sassmannshausen @ 2017-08-20 20:10 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 27826, 27808

Hi

I believe this issue is now resolved as Julien Lepiller seems to have
pushed a working version of PHP 7.1.8 on 3 August with commit
1cec3462323717e063c98b6404e9c5c5ef037bdd.

I will try to close the bugs (27826 & 27808).

Alex

Alex Sassmannshausen writes:

> Ludovic Courtès writes:
>
>> Hi Alex,
>>
>> Alex Sassmannshausen <alex@pompo.co> skribis:
>>
>>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>>> Hi Leo,
>>>>>
>>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>>> (but also on the previous version), so I could not fully build it
>>>>> (disabling tests results in a working version of PHP).
>>>>
>>>> I got this building with that patch:
>>>>
>>>> =====================================================================
>>>> FAILED TEST SUMMARY
>>>> ---------------------------------------------------------------------
>>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>>> =====================================================================
>>>
>>> OK that's what I've got too.
>>>
>>> I guess it will need some investigation… :-(
>>
>> Any update?  :-)
>>
>> Would be good not to leave the vulnerable version in the distro.
>
> Agreed, though I am in no position to investigate this. I was going to
> propose a patch that disabled those 4 tests, but I will need to
> investigate how to do that.  So at the earliest I could contribute those
> patches this weekend.
>
> Alex
>
>>
>> TIA,
>> Ludo’.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#27808: [bug#27826] bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
  2017-07-31 16:22         ` Alex Sassmannshausen
  2017-08-20 20:10           ` Alex Sassmannshausen
@ 2017-08-20 20:11           ` Alex Sassmannshausen
  1 sibling, 0 replies; 8+ messages in thread
From: Alex Sassmannshausen @ 2017-08-20 20:11 UTC (permalink / raw)
  To: 27826-done, 27808-done


Closing as resolved in commit 1cec3462323717e063c98b6404e9c5c5ef037bdd.

Alex

Alex Sassmannshausen writes:

> Ludovic Courtès writes:
>
>> Hi Alex,
>>
>> Alex Sassmannshausen <alex@pompo.co> skribis:
>>
>>>> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
>>>>> Hi Leo,
>>>>>
>>>>> I've just submitted a patch to update PHP to version 7.1.7, which
>>>>> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
>>>>> (but also on the previous version), so I could not fully build it
>>>>> (disabling tests results in a working version of PHP).
>>>>
>>>> I got this building with that patch:
>>>>
>>>> =====================================================================
>>>> FAILED TEST SUMMARY
>>>> ---------------------------------------------------------------------
>>>> Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
>>>> Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
>>>> Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
>>>> Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
>>>> =====================================================================
>>>
>>> OK that's what I've got too.
>>>
>>> I guess it will need some investigation… :-(
>>
>> Any update?  :-)
>>
>> Would be good not to leave the vulnerable version in the distro.
>
> Agreed, though I am in no position to investigate this. I was going to
> propose a patch that disabled those 4 tests, but I will need to
> investigate how to do that.  So at the earliest I could contribute those
> patches this weekend.
>
> Alex
>
>>
>> TIA,
>> Ludo’.

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2017-08-20 20:12 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-07-24 18:57 bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362 Leo Famulari
2017-07-25 15:26 ` Alex Sassmannshausen
2017-07-25 18:41   ` Leo Famulari
2017-07-25 19:44     ` Alex Sassmannshausen
2017-07-31 15:32       ` bug#27808: [bug#27826] " Ludovic Courtès
2017-07-31 16:22         ` Alex Sassmannshausen
2017-08-20 20:10           ` Alex Sassmannshausen
2017-08-20 20:11           ` Alex Sassmannshausen

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).